10:30 AM
Terry Ray

Is 2019 the Year of the CISO?

The case for bringing the CISO to the C-suite's risk and business-strategy table.

PwC reported that 81% of investors and analysts responding to its 2018 Global Investor Survey ranked cybersecurity among the top three threats to business; more than half of those said that cybersecurity was the No. 1 biggest threat to business. The natural upshot should be that the CISO is more important to business strategy — but in many cases, that's an uphill climb.

The traditional view of the CISO is that of a specialized mini-CIO — existing to achieve compliance, put out security fires, and stand in as a scapegoat for when something inevitably goes wrong so the CIO doesn't have to take the heat. A case in point: Target had no CISO when it suffered its infamous point-of-sale mega breach in 2013; consequently, it was Target's then CIO who was compelled to resign shortly thereafter. Only then did Target create and fill a CISO position, answering to the new CIO.

Across both the private sector and the public sector, the plurality of CISOs report to the CIO. A subset of enterprise organizations, however, are increasingly realizing that this is a suboptimal approach.

For starters, many have recognized that a CIO having a CISO answer to him or her presents a conflict of interest because the CIO and CISO each have different budgetary interests and are measured against different objectives. Whereas CISOs are so security-driven that "security" is right in their job titles, CIOs are pressured to make decisions that favor business agility above all else; security is an afterthought compared with functional viability. Meanwhile, CISOs have "security" in their job titles for a reason — but a CISO who reports to a CIO or other IT operations manager is unlikely to report his or her boss to the legal department for inevitable compliance failures.

Over the past few years, Congressional staffers, federal and state regulatory bodies, and industry collaboratives alike have made these same observations — specifically dictating that CISOs report to a risk officer, the general counsel, the CEO, or even straight up to the board of directors. Lately, these recommendations and requirements have begun to take hold. A May 2018 industry report from Dark Reading about the role of CISOs notes that the CISOs have at least a "dotted reporting structure" — if not a direct one — to boards and/or CEOs. And this reporting structure is crucial not only for mitigating liability and compliance risks (i.e., so that, after an inevitable data breach, the company can show regulators that its board of directors and CEO met with the CISO on cybersecurity issues x number of times every year), but also for crafting cybersecurity and data-stewardship solutions for effective business strategy going forward. Without the CISO, boards and CEOs may not even be able to identify the right questions to ask or the right problems to solve in the first place.

The whole concept of a CIO indicates that that person has full control of the company's infrastructure and IT decisions. A CISO would typically be a part of that, but that's not necessarily reflective of what the pecking order should be. Just because the CISO will work extensively with the CIO doesn't mean that the CISO should report to the CIO — just like the general counsel shouldn't report to the executive vice president of sales just because the legal department has to work extensively with the sales teams. These are separate entities working together incidentally — and the IT team and the information security team are likewise separate from each other.

This is because the CISO position is no longer a niche technology role. Cyber presence is sufficiently ubiquitous today that, for many enterprise organizations, the Internet is their primary (if not only) go-to-market platform. In this environment, the CISO's job must be to step to the forefront and evangelize the following points:

  • "We are under attack." There are constant attempted cyberattacks — usually automated — every single day against every major enterprise.
  • "Our attackers will succeed, eventually." Everybody's being breached. We, too, will be breached someday (assuming we haven't been breached already). We must be prepared with the knowledge and tools to minimize and respond both during and after a breach.
  • "Cybersecurity is a business issue — not a tech issue." How we manage our cyber presence and secure our data drastically affects our ability to do business — from an accessibility standpoint, from a brand-trust standpoint, and from a regulatory compliance standpoint.

All of these bullet points combined make for a grander and more important message, which is one that investors already know: "Cybersecurity is about extreme monetary risk."

And there you have it. CISOs deal with far heavier risk assessment and risk management issues than do generalist IT leaders — to the point where their job is all about risk and only incidentally about IT, rather than the other way around. The CISO job therefore needs to just be part of the organization's risk hierarchy instead of the IT department. The CISO is, first and foremost, a risk manager — a digitally present risk manager, but a risk manager nonetheless.

Let the CISO answer accordingly.


Terry Ray has global responsibility for Imperva's technology strategy. He was the first US-based Imperva employee, and has been with the company for 14 years. He works with organizations around the world to help them discover and protect sensitive data, minimize risk for ...